Neil J. Rubenking

VoodooSoft VoodooShield

Cons

Could possibly whitelist malware running prior to installation. Flagged some legitimate programs as suspicious, some as malicious.

Bottom Line

VoodooShield takes a whitelist approach to antivirus protection, but without getting in the user's way. A new machine-learning component brings it closer to the abilities of a standalone antivirus.

Suppose you have a PC that's guaranteed clean and malware-free. You could keep it pristine by simply preventing any new programs from launching. You wouldn't need traditional antivirus protection at all! But you also wouldn't be able to update your applications, or install new programs. That sort of extreme whitelisting is just too rigid. VoodooSoft's VoodooShield takes a softer approach. By default, it blocks new unknown programs only when your system is at risk. New for version 3.0, VoodooShield adds AI-based detection of malware, but you should still use it in conjunction with a more traditional antivirus: a whitelist controls which programs may start, not what an already-trusted program does once it is running.

You can use VoodooShield's basic features for free in a noncommercial setting. However, if you pay for the $19.99 per year subscription you also get tech support, the ability to adjust settings, and other advanced features. This is a review of the paid edition, though most of what I describe in this review applies to the free version as well.

Getting Started

After the quick, simple installation, the program asks you to choose an initial security mode, spelling out the choices clearly. AutoPilot mode requires less user interaction, but is just slightly less secure. Application Whitelisting Mode beefs up security at the expense of needing more responses from you, the user. At this point, the program creates an initial whitelist that includes all programs running on the system.

Yes, if malware is already running, it gets whitelisted along with the rest. If you're at all concerned, scan the system with a tool like Malwarebytes Anti-Malware 2.0 before installing VoodooShield.

A big welcome screen offers a simple description of how the program works. In short, it says that instead of trying to detect and block bad programs from running the way typical malware protection tools do, VoodooShield only allows good (whitelisted) programs to launch.

The next screen explains that in its automatic mode, the program's protection turns on when you're at risk, and turns off when you're not. Yes, it may block something you intended to run—in that case, just click a button to allow that program. You can also turn it off temporarily in order to install new programs.

Confused at all? It is, admittedly, not your usual antivirus. New since the previous edition, a full user manual is available for those who want to dig in for a deeper understanding.

On, Smart, and Off

All you normally see of VoodooShield is a tiny shield-shaped icon in the bottom-right corner of your screen. You can move it to a different location, and right-click it for a simple menu that, among other things, lets you control the program's operational mode.

When VoodooShield is turned off, it's in training mode, which means that it whitelists every program you run. The shield icon turns red and displays OFF. Use this mode when you're installing a new program from a trusted source.

When you turn VoodooShield on, the shield turns blue and displays ON, and it snapshots every program that's running. It blocks execution of any other program that isn't already on the whitelist. If it blocks access to a program you intended to launch, click the notification-area popup to reveal the full details, and then click Allow. If you don't recognize the program, click Block. Or you can just ignore it; VoodooShield blocks automatically after 20 seconds.

For the first while after you install VoodooShield, you may see quite a few of these popups. You can reduce the popup clutter by enabling Smart mode. The logic behind this mode is simple. It assumes that you don't have malware already present on your computer, so the only way malware can enter is from the Internet or from a removable drive. In Smart mode, VoodooShield defaults to off, and it whitelists programs you run. But if you connect to the Internet or insert a USB drive, it turns on.

VoodooAi and Scanning

In the past, I've advised using VoodooShield in conjunction with a more traditional antivirus, perhaps Bitdefender Antivirus Plus 2016, McAfee AntiVirus Plus, or another of our Editors' Choice antivirus tools. The VoodooShield FAQ points to Webroot as a particularly compatible choice. The current version of the product comes closer to having the abilities of a standalone antivirus, but buddying up with a traditional antivirus is still a good idea.

The product now includes a machine-learning tool called VoodooAi. Three analysis systems, each trained on thousands of samples of malware and valid files, develop internal models of the characteristics that distinguish the two groups. They don't look for specific malware signatures, or for malware-like behaviors at run time. Rather, they track some 40 static file characteristics that differ significantly between the two groups.

Supplementing this machine-learning engine, VoodooShield checks any blocked file against the database of a well-known multiengine antivirus scanning service. Legal and contractual issues prevent the company from naming that service, but you can surely guess. And yes, while the service in question can't legitimately be used as a primary detection engine, checking files that have already been blocked is OK.

According to my contact at VoodooSoft, "If the VoodooAi result is super low, say 0.2000 or less, and all of the results from the 57 engines are clean, then the file is safe." Conversely, a very high VoodooAi result suggests that something is wrong with the file, whether or not it's actually malware.

Running on AutoPilot

The new AutoPilot mode takes advantage of these two detection methods to make VoodooShield act more like a true antivirus and less like a whitelist-only product. It temporarily blocks any program that's not whitelisted, just long enough to get a VoodooAi score and check the online scanning service. Any file that gets a clean bill of health from both is allowed to execute without hindrance. In this mode, the shield stays blue and displays AUTO.

For a file that seems to be malware, VoodooShield offers several options. Besides merely blocking the file's execution, you can choose to quarantine it, just as you can with Symantec Norton AntiVirus Basic, Kaspersky Anti-Virus, and most traditional antivirus tools.

When VoodooShield blocks a file as malicious, not merely unknown or suspicious, the Allow button changes to Allow False Positive. If you click it, you must confirm that you know what you're doing, and that running the file could introduce malware.
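To make the mode logic concrete, here is an added example, written for this page and not VoodooSoft's code, that models the Off/On/Smart behavior described under "On, Smart, and Off" together with the AutoPilot decision described above. It is a toy: programs are stood in for by byte strings, the whitelist is keyed by SHA-256, the 0.2 "super low" VoodooAi figure comes from the review, and the other thresholds, the Reckless/Balanced/Paranoid cutoffs, and the rule that an unsafe VoodooAi score plus a single engine detection counts as malware are assumptions chosen to reproduce the outcomes the reviewer reports. It also shows the install-time snapshot caveat: whatever is running when the snapshot is taken is trusted from then on.

```python
# Added example, not VoodooSoft's code: a toy model of the mode-driven
# whitelist the review describes. Hashing, the sensitivity presets, and every
# threshold other than the quoted 0.2 VoodooAi figure are assumptions.
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    OFF = "OFF"      # training: anything you run is whitelisted
    ON = "ON"        # lockdown: only whitelisted programs may start
    SMART = "SMART"  # OFF until a Web-aware app or removable drive appears
    AUTO = "AUTO"    # unknown program held for VoodooAi + multi-engine check


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_UNKNOWN = "blocked: not whitelisted"
    BLOCK_SUSPICIOUS = "blocked: VoodooAi suspicious"
    BLOCK_MALWARE = "blocked: malware"


ENGINES = 57  # engine count quoted in the review

# Assumed VoodooAi score ceilings for "safe"; 0.2 is the figure quoted on the page.
SENSITIVITY = {"Reckless": 0.5, "Balanced": 0.2, "Paranoid": 0.1}


@dataclass
class ScanResult:
    ai_score: float            # VoodooAi output, 0.0 (clean) .. 1.0 (bad)
    detections: Optional[int]  # engines flagging the file; None = unknown to the service


@dataclass
class Shield:
    mode: Mode = Mode.SMART
    sensitivity: str = "Balanced"
    whitelist: set[str] = field(default_factory=set)
    web_app_active: bool = False
    removable_drive: bool = False

    @staticmethod
    def fingerprint(program: bytes) -> str:
        return hashlib.sha256(program).hexdigest()

    def snapshot(self, running: list[bytes]) -> None:
        """Install-time snapshot: whitelist everything already running.
        The caveat from the review applies: malware running now is trusted too."""
        self.whitelist.update(self.fingerprint(p) for p in running)

    def locked(self) -> bool:
        """Is protection currently enforcing?"""
        if self.mode is Mode.OFF:
            return False
        if self.mode is Mode.SMART:
            return self.web_app_active or self.removable_drive
        return True

    def launch(self, program: bytes, scan: Optional[ScanResult] = None) -> Verdict:
        h = self.fingerprint(program)
        if h in self.whitelist:
            return Verdict.ALLOW
        if not self.locked():
            self.whitelist.add(h)          # training behaviour while unlocked
            return Verdict.ALLOW
        if self.mode is not Mode.AUTO or scan is None:
            return Verdict.BLOCK_UNKNOWN   # ON mode: block and ask the user
        return self._autopilot(h, scan)

    def _autopilot(self, h: str, scan: ScanResult) -> Verdict:
        ai_safe = SENSITIVITY[self.sensitivity]
        if scan.detections is None:
            # Unknown to the scanning service: never auto-allowed
            return Verdict.BLOCK_UNKNOWN if scan.ai_score <= ai_safe else Verdict.BLOCK_SUSPICIOUS
        if scan.ai_score <= ai_safe and scan.detections == 0:
            self.whitelist.add(h)          # clean bill of health from both checks
            return Verdict.ALLOW
        if scan.ai_score > ai_safe and scan.detections >= 1:
            # Assumed rule; reproduces the review's 1-of-57 false positives
            return Verdict.BLOCK_MALWARE
        return Verdict.BLOCK_SUSPICIOUS


# Constructed sample "programs": byte strings standing in for executables.
EXPLORER = b"explorer.exe"
UTILITY = b"old-pcmag-utility.exe"
SAMPLE = b"malware-sample-001"


def demo() -> dict[str, Verdict]:
    s = Shield(mode=Mode.SMART)
    s.snapshot([EXPLORER])
    out = {}
    out["offline_unknown"] = s.launch(UTILITY)  # Smart mode unlocked: trained in
    s.web_app_active = True                      # a browser launches: lock
    out["online_sample"] = s.launch(SAMPLE)      # blocked as not whitelisted
    s.mode = Mode.AUTO
    out["auto_malware"] = s.launch(SAMPLE, ScanResult(0.95, 42))
    out["auto_fp"] = s.launch(b"tool.exe", ScanResult(0.7, 1))
    out["auto_clean"] = s.launch(b"new.exe", ScanResult(0.1, 0))
    out["auto_unknown"] = s.launch(b"odd.exe", ScanResult(0.1, None))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict.value}")
```

The `demo()` walk-through mirrors the review's narrative: a utility run while offline in Smart mode is silently trained into the whitelist, the same file run after a browser opens is blocked, and in AutoPilot the verdict depends on the pair of VoodooAi score and engine count. Raising the sensitivity to Paranoid lowers the score a file must stay under to be auto-allowed, which is exactly how the false-positive rate rises with a stricter cutoff.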

Hands On

For a real-world test, I tried launching each of the malware samples that I use in regular antivirus testing. VoodooShield blocked all of them, naturally, since they were not whitelisted. It also identified them all as malware. Webroot SecureAnywhere AntiVirus also detected 100 percent of these samples.

Clicking a Details link in the popup warning allowed me to see how the program rated with all three VoodooAi components, and also listed the names applied to the program by up to 57 antivirus engines. Most of my samples were caught by 40 or more of the engines. None were flagged by fewer than 25 of them.

I also launched 20 PCMag utility programs. These are legitimate programs that aren't commonly used, since the PCMag utility library has shut down. VoodooShield blocked eight of them, giving a clear message as to why it did so. In one case, it stated that while the file was unknown to the scanning site, VoodooAi deemed it safe. It flagged four as suspicious based on VoodooAi analysis, noting that the virus-scanning site considered them clean.

The remaining three were true false positives—valid programs identified as malware. In each case, VoodooAi rated the file unsafe and exactly one of the 57 engines on the scanning site identified it as malware. It's certainly true that with 57 different engines you have 57 opportunities for a false positive.

Going Cuckoo

VoodooShield includes a local sandbox mode, designed to let you run iffy programs without permitting them to make risky changes to the file system or Registry. However, I never found it very useful, as any application that requires Administrator-level access won't function properly in this sandbox. Version 3.0 adds the ability to run suspect programs in the online and open-source Cuckoo sandbox.

When testing with my standard malware samples, I initially sent each to the Cuckoo sandbox. The process is impressive. You can actually watch the malware running in a virtual machine via Remote Desktop Access. Analysis can take a while; I didn't time it, but five minutes seems about right.

On completing its analysis, Cuckoo presents you with a ton of information about the tested program, including a malware rating on a scale of 10 and the characteristics that went into that rating. For example, a file that deletes its original binary from disk is suspect, as is one that wipes the evidence of its own download. But the one red flag common to every sample was this: "File has been identified by at least ten Antiviruses on VirusTotal as malicious."

In fact, I confirmed that a file with just that red flag and no other rated 10 of 10 on the malware scale. At that point I stopped spending the extra time to run each sample through Cuckoo.

I also ran the legitimate utilities flagged by VoodooShield through the sandbox. All but one ranged from 3.3 to 5 on the malware scale. One of them, designed to report deep details about the system, got flagged as total malware, because its behavior suggested an attempt to hide from virtualization tools.

I found the sandbox scan fascinating, but the average user almost certainly would not. There's no requirement to use Cuckoo, fortunately.

Advanced Settings

One of the things you get by opting for the paid version is full access to the program's advanced settings. Note that you can certainly use VoodooShield without ever touching these. In fact, many of the settings are aimed at a managed situation in which IT controls what users can do with the program. I won't attempt an exhaustive discussion of all the settings.

Two settings pages that might prove useful are Whitelist and Quarantine. Not only can you see all the programs you (or VoodooShield) have whitelisted, you can remove any that were whitelisted in error. In a similar fashion, you can see all the quarantined files and optionally delete them permanently. In the unlikely event that you managed to quarantine a valid file, you can restore it.

On the Utility page you can back up and restore the whitelist, or back up and restore your settings. This is also the page that allows an IT administrator to define a password, preventing users from making changes to the settings. In a multi-PC installation, the administrator can log into VoodooShield online to sync whitelists between computers.

In Smart mode, VoodooShield turns from off to on when a Web-aware application launches. The Web Apps page lists all of the apps it tracks, highlighting any that are currently connected. It also lets you add custom browsers and other Web-aware apps to the list.

Among other things, the settings page lets you tweak VoodooAi's sensitivity from its default Balanced mode down to Reckless or up to Paranoid. You can tweak UI elements such as the transparency of the shield icon. You can also control how VoodooShield handles programs in specific folders.

If you launch the Settings dialog from the free edition, the program suggests that you upgrade to the paid edition. If you decline to upgrade, you'll still see all of the settings. You just won't be able to change them.

An Evolving Solution

A pure whitelisting solution, where any new file just won't execute, would be too annoying for the average user. VoodooShield's ability to lock down the computer only when there's potential for risk balances security with convenience. The new VoodooAi system, in conjunction with use of a multiengine scanning service, brings this program closer to being a true standalone antivirus.


About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
